|
A quem interessar, aí está o script do vírus I Love
You!
Visual Basic 6.0
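' Removal (disinfection) script for the "LOVE-LETTER-FOR-YOU" VBScript worm.
' This listing is the cleaner, not the worm: every action below deletes a
' dropped file, removes an autorun registry value, resets a setting, or logs.
'
' What it does, in order:
'   1. deletes the dropped copies in the Windows and System folders,
'   2. reports whether the MSKernel32 Run value was present, then removes the
'      Run/RunServices values and the WinFAT32 / WIN-BUGSFIX executables,
'   3. deletes LOVE-LETTER-FOR-YOU.HTM from the System folder,
'   4. walks every fixed and network drive and deletes .vbs/.vbe files whose
'      first line contains "loveletter", and script.ini files containing
'      "LOVE-LETTER".
'
' Operational caveats for whoever runs it:
'   * Deletion is permanent; there is no quarantine copy. Files the worm
'     overwrote are not restored by this script (restore those from backup).
'   * Detection is a plain substring match, so an unrelated script whose
'     first line contains "loveletter" would be deleted too.
'   * Mapped network drives are scanned as well as local disks.
'   * Run it with cscript.exe: under wscript.exe every WScript.Echo call
'     (one per directory scanned) is shown as a dialog box.
'   * The log is written to "Disingect.log" in the current directory and
'     overwrites any previous log of that name.

' NOTE(review): the script unconditionally overwrites the Internet Explorer
' start page with this hard-coded URL. Presumably this undoes a start-page
' change made by the worm (not shown in this listing). Set it to the value
' your environment expects before running.
Const CLEAN_START_PAGE = "http://www.mega.ee/"

Dim fso, dirsystem, dirwin, logfile, regedit

Set fso = CreateObject("Scripting.FileSystemObject")
Set logfile = fso.CreateTextFile("Disingect.log", True, False)
Set regedit = CreateObject("WScript.Shell")
main
logfile.Close

' Entry point: removes the fixed-location artefacts, then scans the drives.
Sub main()
    ' Best effort throughout: a missing file must not stop the cleanup.
    On Error Resume Next
    Set dirwin = fso.GetSpecialFolder(0)     ' Windows folder
    Set dirsystem = fso.GetSpecialFolder(1)  ' System folder

    fso.DeleteFile dirsystem & "\MSKernel32.vbs", True
    fso.DeleteFile dirwin & "\Win32DLL.vbs", True
    fso.DeleteFile dirsystem & "\LOVE-LETTER-FOR-YOU.TXT.vbs", True

    regruns
    html
    spreadtoemail
    listadriv
End Sub

' Writes one line to the log file and echoes it to the script host.
Sub LogLine(logstr)
    logfile.WriteLine logstr
    WScript.Echo logstr
End Sub

' Returns the registry value at key, or "" when it cannot be read.
Function RegRead(key)
    On Error Resume Next
    RegRead = ""
    RegRead = regedit.RegRead(key)
End Function

' Deletes a registry value; a missing value is not an error.
Sub RegDelete(key)
    On Error Resume Next
    regedit.RegDelete key
End Sub

' Reports the infection indicator, removes the autorun values and the
' downloaded executables, and resets the IE start page.
Sub regruns()
    ' Without a local handler the first failing DeleteFile (for example a
    ' WinFAT32.exe that is not there) aborted this Sub, so the WIN-BUGSFIX
    ' value and file were never removed.
    On Error Resume Next
    Dim downread

    If RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32") <> "" Then
        LogLine "System infected!"
    Else
        LogLine "System probably not infected."
    End If

    RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MSKernel32"
    RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\Win32DLL"

    ' IE download directory; falls back to the root of C: when unset.
    downread = RegRead("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download Directory")
    If downread = "" Then
        downread = "c:\"
    End If

    regedit.RegWrite "HKCU\Software\Microsoft\Internet Explorer\Main\Start Page", CLEAN_START_PAGE

    fso.DeleteFile dirsystem & "\WinFAT32.exe"
    RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN-BUGSFIX"
    ' BuildPath avoids the doubled backslash when downread already ends in "\".
    fso.DeleteFile fso.BuildPath(downread, "WIN-BUGSFIX.exe")
End Sub

' Starts the recursive scan on every fixed (2) and network (3) drive.
Sub listadriv()
    On Error Resume Next
    Dim drive

    For Each drive In fso.Drives
        If drive.DriveType = 2 Or drive.DriveType = 3 Then
            folderlist drive.Path & "\"
        End If
    Next
End Sub

' Deletes filespec when its first line contains the marker "loveletter".
Sub CheckFile(filespec)
    On Error Resume Next
    Dim stream, firstline

    firstline = ""
    Err.Clear
    Set stream = fso.OpenTextFile(filespec, 1, False, 0)
    If Err.Number <> 0 Then
        ' Unreadable file: leave it alone rather than guess.
        Err.Clear
        Exit Sub
    End If

    ' ReadLine raises on an empty file, so test for end of stream first.
    If Not stream.AtEndOfStream Then
        firstline = stream.ReadLine
    End If
    stream.Close

    If InStr(firstline, "loveletter") <> 0 Then
        fso.DeleteFile filespec, True
        LogLine "Infected file " & filespec & ", original may have been destroyed"
    End If
End Sub

' Scans the files of one folder and removes infected ones. The name is kept
' from the original listing; nothing in this Sub infects anything.
Sub infectfiles(folderspec)
    On Error Resume Next
    Dim folder, entry, entryPath, ext, lowerName, stream, contents

    Err.Clear
    Set folder = fso.GetFolder(folderspec)
    If Err.Number <> 0 Then
        Err.Clear
        Exit Sub
    End If

    For Each entry In folder.Files
        ' Capture the path now: it is not available after entry.Delete.
        entryPath = entry.Path
        ext = LCase(fso.GetExtensionName(entryPath))
        lowerName = LCase(entry.Name)

        If ext = "vbs" Or ext = "vbe" Then
            CheckFile entryPath
        End If

        If lowerName = "script.ini" Then
            contents = ""
            Set stream = entry.OpenAsTextStream(1, 0)
            contents = stream.ReadAll
            stream.Close
            If InStr(contents, "LOVE-LETTER") <> 0 Then
                entry.Delete True
                ' The original logged an undefined variable here, so the
                ' message never named the file.
                LogLine "Infected file " & entryPath & ", original may have been destroyed"
            End If
        End If
    Next
End Sub

' Recursively visits every subfolder of folderspec and scans its files.
' Files directly inside folderspec itself are not scanned.
Sub folderlist(folderspec)
    On Error Resume Next
    Dim folder, child

    Err.Clear
    Set folder = fso.GetFolder(folderspec)
    If Err.Number <> 0 Then
        Err.Clear
        Exit Sub
    End If

    For Each child In folder.SubFolders
        WScript.Echo "Checking directory " & child.Path
        infectfiles child.Path
        folderlist child.Path
    Next
End Sub

' Returns 0 when the file exists and 1 when it does not.
Function fileexist(filespec)
    On Error Resume Next
    If fso.FileExists(filespec) Then
        fileexist = 0
    Else
        fileexist = 1
    End If
End Function

' Returns 0 when the folder exists and 1 when it does not.
' The original called a method that FileSystemObject does not have and
' assigned the result to fileexist, so it never returned a value.
Function folderexist(folderspec)
    On Error Resume Next
    If fso.FolderExists(folderspec) Then
        folderexist = 0
    Else
        folderexist = 1
    End If
End Function

' Intentionally empty; kept so the call in main still resolves.
Sub spreadtoemail()
End Sub

' Removes the HTML file dropped in the System folder.
Sub html()
    On Error Resume Next
    fso.DeleteFile dirsystem & "\LOVE-LETTER-FOR-YOU.HTM"
End Sub

Atenciosamente,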
Marcelo Glauco
|
